.Dd November 16, 1994
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall / IP accounting facilities
.Sh SYNOPSIS
.Nm
.Oo
.Fl n
.Oc
.Ar entry_action chain_entry_pattern
.Nm ipfw
.Oo
.Fl ans
.Oc
.Ar chain_action chain[s]_type
.\" ipfw [-n] <entry-action> <chain entry pattern>
.\" ipfw [-ans] <chain-action> <chain[s] type>
.Sh DESCRIPTION
In the first synopsis form,
.Nm
controls the firewall and accounting chains. In the second
synopsis form,
.Nm
sets the global firewall / accounting properties and
shows the contents of the chains.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records. Works only with
.Fl s .
.It Fl n
Do not resolve anything. When setting entries, do not try to resolve a
given address. When listing, display addresses in numeric form.
.It Fl s
Short listing form. By default, the listing format is compatible with the
.Nm
input format, so you can save listings to a file and then reuse
them. With this option the listing is much shorter but incompatible
with the
.Nm
syntax.
.El
.Pp
These are the valid
.Ar entry_actions :
.Bl -hang -offset flag -width 1234567890123456
.It Nm addf[irewall]
add an entry to the firewall chain.
.It Nm delf[irewall]
remove an entry from the firewall chain.
.It Nm adda[ccounting]
add an entry to the accounting chain.
.It Nm dela[ccounting]
remove an entry from the accounting chain.
.It Nm clr[accounting]
clear the counters of an accounting chain entry.
.El
.Pp
If no
.Ar entry_action
is specified, it defaults to
.Nm addf[irewall]
or
.Nm adda[ccounting] ,
depending on the
.Ar chain_entry_pattern
specified.
.Pp
The valid
.Ar chain_actions
are:
.Bl -hang -offset flag -width 123456789
.It Nm f[lush]
remove all entries in the firewall / accounting chains.
.It Nm l[ist]
display all entries in the firewall / accounting chains.
.It Nm z[ero]
clear chain counters (accounting only).
.It Nm p[olicy]
set default policy properties.
.El
.Pp
The
.Ar chain_entry_pattern
structure is:
.Pp
.Dl [keyword] [protocol] [address pattern]
.Pp
For the firewall chain, valid
.Em keywords
are:
.Bl -hang -offset flag -width 12345678
.It Nm reject
Reject the packet, and send an
.Tn ICMP HOST_UNREACHABLE
packet to the source.
.It Nm lreject
The same as
.Nm reject ,
but also log the packet's details.
.It Nm deny
Discard the packet (no ICMP message is sent to the source).
.It Nm ldeny
The same as
.Nm deny ,
but also log the packet's details.
.It Nm log
Accept the packet, and log it.
.It Nm accept
Accept the packet (obviously).
.It Nm pass
A synonym for accept.
.El
.Pp
For the accounting chain, valid
.Em keywords
are:
.Bl -tag -width flag
.It Nm single
Log packets matching the entry.
.It Nm bidirectional
Log packets matching the entry and also those going in the
opposite direction (from
.Dq dst
to
.Dq src ) .
.El
.Pp
Each keyword is recognized by its shortest unambiguous prefix.
.Pp
Recognised
.Em protocols
are:
.Bl -hang -offset flag -width 123456
.It Nm all
Matches any IP packet.
.It Nm icmp
Matches ICMP packets.
.It Nm tcp
Matches TCP packets.
.It Nm udp
Matches UDP packets.
.It Nm syn
Matches the TCP SYN packet used in initiating a TCP connection. It
does not match the packet returned from a destination machine which
has the SYN and ACK bits set.
.El
.Pp
The
.Em address pattern
is:
.Pp
.Dl from <address/mask>[ports] to <address/mask>[ports] [via <interface>]
.Pp
You can only specify
.Em ports
with
.Em protocols
which actually have ports (TCP, UDP and SYN).
.Pp
The order of the
.Sq from/to/via
keywords is unimportant.
Any of them may be omitted; an omitted keyword is replaced by a
default entry matching any
.Sq from/to/via
packet kind.
.Pp
The
.Em <address/mask>
is defined as:
.Pp
.Dl <address|name>[/mask_bits|:mask_pattern]
.Pp
.Em mask bits
is the decimal number of bits set in the address mask.
.Em mask pattern
has the form of an IP address to be AND'ed logically with the address
given. The keyword
.Em any
can be used to specify
.Dq any IP .
The IP address or name given is
.Em NOT
checked, and a wrong value
causes the entry to match nothing.
.Pp
The
.Em ports
to be blocked are specified as:
.Dl Ns port Ns Op ,port Ns Op ,...
or:
.Dl port:port
.Pp
to specify a range of ports. The name of a service (from
.Pa /etc/services )
can be used instead of
a numeric port value.
.Pp
The
.Em via <interface>
entry is optional and may specify the IP address/domain name of a local IP
interface, or an interface name (e.g.
.Em ed0 )
to match only packets coming
through this interface. The keyword
.Em via
can be substituted by
.Em on ,
for readability reasons.
.Pp
The
.Em l[ist]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to list a specific chain, or nothing to list all chains. The long output
format (default) is compatible with the syntax used by the
.Nm
utility.
.Pp
The
.Em f[lush]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to remove all entries from the firewall or from the accounting chain. Without
an argument it removes all entries from both chains.
.Pp
The
.Em z[ero]
command needs no arguments. This command clears all counters for the
entire accounting chain.
.Pp
The
.Em p[olicy]
command can be given
.Pp
.Dl a[ccept] | d[eny]
.Pp
to set the default policy to acceptance or denial. Without an argument, the
current policy status is displayed.
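.Pp
As an added illustration (not part of this manual page or of the ipfw sources), the following Python parser implements the
.Ar chain_entry_pattern
grammar described above: keyword and protocol prefix expansion, from/to/via clauses in any order with omitted ones defaulting to any, ports only for TCP, UDP and SYN, and both mask forms. It assumes that keyword and protocol are always given, and it rejects malformed dotted-quad addresses, which ipfw itself would silently install as an entry matching nothing.

```python
import ipaddress
# Keywords and protocols as listed on this page; any unambiguous prefix of them is accepted.
KEYWORDS = ("reject", "lreject", "deny", "ldeny", "log", "accept", "pass", "single", "bidirectional")
PROTOCOLS = ("all", "icmp", "tcp", "udp", "syn")
PORT_PROTOCOLS = ("tcp", "udp", "syn")  # the only protocols that may carry [ports]
ANY = {"addr": "any", "mask": "0.0.0.0", "ports": []}  # default for an omitted from/to clause

def expand(word, choices):
    """Shortest-unambiguous-prefix rule: exactly one choice must start with `word`."""
    hits = [c for c in choices if c.startswith(word)]
    if len(hits) != 1:
        raise ValueError(f"{word!r} is not an unambiguous prefix of {choices}")
    return hits[0]

def parse_ports(spec):
    """port[,port,...] or lo:hi; service names (from /etc/services) are kept as names."""
    if ":" in spec:
        return [tuple(int(p) for p in spec.split(":", 1))]
    return [int(p) if p.isdigit() else p for p in spec.split(",")]

def parse_address(token):
    """<address|name>[/mask_bits|:mask_pattern]; the mask is returned as a dotted quad."""
    if token == "any":
        return dict(ANY)
    host, _, mask = token.replace(":", "/").partition("/")  # either separator introduces a mask
    if host.replace(".", "").isdigit():  # ipfw does not check addresses, and a wrong one
        ipaddress.IPv4Network(f"{host}/{mask or 32}", strict=False)  # silently matches nothing: validate here
    netmask = str(ipaddress.IPv4Network(f"0.0.0.0/{mask or 32}").netmask)  # assumption: no mask = this host only
    return {"addr": host, "mask": netmask, "ports": []}

def parse_entry(rule):
    """Parse 'keyword protocol [from A [ports]] [to B [ports]] [via|on IF]'; clauses in any order."""
    words, i = rule.split(), 2
    entry = {"keyword": expand(words[0], KEYWORDS), "proto": expand(words[1], PROTOCOLS),
             "from": dict(ANY), "to": dict(ANY), "via": None}
    while i < len(words):
        key, i = words[i], i + 1
        if key in ("via", "on"):
            entry["via"], i = words[i], i + 1
        elif key in ("from", "to"):
            side, i = parse_address(words[i]), i + 1
            if i < len(words) and words[i] not in ("from", "to", "via", "on"):
                if entry["proto"] not in PORT_PROTOCOLS:
                    raise ValueError(f"ports are only valid with {PORT_PROTOCOLS}")
                side["ports"], i = parse_ports(words[i]), i + 1
            entry[key] = side
        else:
            raise ValueError(f"unexpected token {key!r}")
    return entry
```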
.Sh EXAMPLES
This command adds an entry which denies all TCP packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
.Pp
This one disallows any connection from the entire hackers' network to
my host:
.Pp
.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org
.Pp
A typical use of the list command to see accounting records:
.Pp
.Dl ipfw -sa list accounting
.Pp
or in short form
.Pp
.Dl ipfw -sa l a
.Pp
Many more examples can be found in the file:
.Dl Pa /usr/share/FAQ/ipfw.FAQ
(missing for the moment)
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
Currently there is no method for filtering out specific types of ICMP
packets. Either you don't filter ICMP at all, or all ICMP packets are
filtered.
.Pp
The system has a rule weighting system for the firewall chain. This
means that rules are not used in the order in which they are specified. To
see what rule ordering is used, use the
.Em list
command.
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
Remember that
.Dq ipfw flush
can solve all the problems. Bear in mind that
.Dq ipfw policy deny
combined with some wrong chain entry (possibly the only entry, which
is designed to deny some external packets), can close your computer
off from the outer world for good (or at least until you can get to the
console).
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
while the synopsis is partially compatible with the old one.